Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    January 2013
    S M T W T F S
    « Dec   Feb »
  • Email Subscription

  • About Us

    Archive for January, 2013

    1:03 am (UTC-7)   |    by

    In the past couple of weeks, there has been some breathless reporting about how iOS users could now install pirated apps without having to jailbreak their phones. This was made possible by certain Chinese app store-like services.

    Some of the reporting has been wondering how this was possible, but anyone with knowledge of iOS enterprise deployments knew what was going on. The same features which allow enterprises to deploy their own custom apps have now been abused to deliver pirated apps to users.

    This “newly discovered” method represents one of the methods to get malicious/fake apps onto the iOS devices. However, because the iOS sandbox has not been compromised, what each app can and can’t do is rather limited. The iOS app may try to send out some personal privacy information to external server which creates privacy data leakage problem.

    Read the rest of this entry »

    Posted in Malware, Mobile | Comments Off on Pirated App Stores on iOS?

    6:30 am (UTC-7)   |    by

    Apart from those apps that register users for unwanted services and those that aggressively push ads, Android users should also worry about apps with backdoor capabilities.

    While premium service abusers and adware accounted for the majority of malicious apps in 2012, they are, however, not the only threats to Android. Reports of a botnet running on more than a million of smartphones recently made the headlines, which goes to show that attacks aimed at Android devices are varied and far from over.

    Prior to these reports, we have been seeing these malware  since July 2012 and have so far detected 4,282 in the wild. The related samples we analyzed (detected by Trend Micro as ANDROIDOS_KSAPP.A, ANDROIDOS_KSAPP.VTD, ANDROIDOS_KSAPP.CTA, ANDROIDOS_KSAPP.CTB, and AndroidOS_KSAPP.HRX ) were from a certain third-party app store, though we suspect there are other available several sites. Typically, these apps are marketed as gaming apps, some of them bearing or are repackaged versions of popular gaming titles.

    The first batch of samples we analyzed was packaged using the same app title, purportedly from the same company.

    Once any of these malicious apps is installed in a device, it communicates to the following remotes sites to acquire compressed script then parses the said script:

    • http://{BLOCKED}y.{BLOCKED}
    • http://{BLOCKED}n.{BLOCKED}
    • http://{BLOCKED}

    Read the rest of this entry »

    Posted in Mobile | Comments Off on Android Malware Found to Send Remote Commands

    5:00 am (UTC-7)   |    by

    The “post-PC era” is a phrase which has been a veritable buzzword for some time. However, 2012 saw cybercrime expanding to mobile platforms, highlighting how threats have entered the post-PC era, too.

    Mobile Threats: 350,000 and Growing

    By the end of 2012, the number of Android malware grew to 350,000. This was a monumental growth from the 1,000 mobile malware we saw at the end of 2011. Much of this growth was driven by adware and premium service abusers, which accounted for a sizable majority of the seen growth.

    The popularity of Android in the mobile space means that it is now facing threats similar to what has faced Windows in the desktop space. This threat grew and became more sophisticated throughout the entire year, and we expect that this will continue into 2013.

    Data breaches and Malware: Business as Usual

    The year saw a continuation and evolution of many familiar threats. Data breaches and APTs continued to hit organizations large and small. Increasingly, the question is no longer if  a system will suffer a data breach, but when. Throughout the year, we discovered and looked into various information theft campaigns, as well as the tools used.

    Similarly, “conventional” threats mostly saw a gradual evolution in 2012. Phishing messages became harder to tell from real ones and were combined with the Blackhole Exploit Kit to mount highly effective attacks. Banking malware was significantly improved with the addition of automatic transfer systems which sped up the actual process of moving money to criminal bank accounts. Ransomware took the place of fake antivirus as the primary threat facing consumers. We also saw what we’ve dubbed the “children” of Stuxnet—Flame, Flamer, Gauss, and Duqu—due to similarities such as in code.

    Vulnerabilities and Exploits: Exploits Kits and Java

    Many of these attacks were made possible by vulnerabilities and exploits. We saw extensive usage of the aforementioned Blackhole Exploit Kit, which made it relatively easy for attackers to compromise targeted systems. The year saw the introduction of version 2.0 of the exploit kit, which was at least in part a response to successes in investigating the earlier 1.x version by security vendors (including Trend Micro).

    Java proved to be a serious security problem throughout the entire year. A zero-day vulnerability in Java 7 was found and exploited in August; our own data indicates that Java was the most targeted program via browsers in 2012. These problems were severe enough that vendors have taken steps to reduce the use of Java, with Apple going so far as to remove it from browsers on OS X computers.

    We have prepared two reports that outline the threats we saw in 2012. One, our Annual Security Roundup titled Evolved Threats in a “Post-PC” World, outlines the threats that we saw in the overall security landscape in the past year. The second, our Mobile Threat and Security Roundup titled Repeating History, examines the threats in greater depth the threats in the mobile landscape in the past year. You can read these reports by clicking on their titles, or their respective covers below:

    Posted in Exploits, Malware, Mobile, Social, Vulnerabilities | Comments Off on 2012 Annual Security Roundup: Post-PC Threats

    Just days after its release on the Apple App Store, some sites are already offering their own dubious versions of Temple Run 2 for Android.

    With 20 million downloads just 4 days after its release on the Apple App Store, Temple Run 2 is indeed highly-anticipated among Temple Run fans and gaming fanatics. While the Android version of the game is scheduled for release this Thursday, we already found certain websites peddling what appears to be Temple Run 2 for Android.

    We downloaded a supposed Temple Run 2 app and analyzed it. Luckily, the apps (detected by Trend Micro as ANDROIDOS_FAKETEMPLRUN.A) do not exhibit any noteworthy malicious routines. However, they do send ad notifications to users. And to rub salt to wound, both apps do not run the actual Temple Run game.


    We also noticed other sites that offer Temple Run 2. Looking closely at the description of one of these sites, the developer posted a disclaimer about the app. Though the site does not exhibit any harmful routine, the use of Temple Run 2 to persuade users to download the “wallpaper” app (some sites offer a puzzle app, among others) is quite suspect.

    Read the rest of this entry »


    Shylock malware which spreads via Skype is not the only threat that users should be worried about. We found another worm that takes advantage of Skype to spread copies of itself.

    Reports of Shylock malware found on certain Skype messages was a hot topic last week. We looked into the related samples and based on our analysis, the malware (detected as WORM_BUBLIK.GX) downloads and loads additional plugins that include {C&C}/files/010-update-vl0d3/msg.gsm (detected as WORM_KEPSY.A). Once executed, this malicious plugin has the ability to clear Skype message history.

    The other threat we found on Skype, detected as WORM_PHORPIEX.JZ, drops copies of itself in all removable drives. Similar to WORM_BUBLIK.GX, users may encounter this threat as a Skype message with links to the malware. WORM_PHORPIEX.JZ connects to specific Internet Relay Chat (IRC) servers and joins the channel #go. It also downloads and executes other malware onto the system and sends email messages containing an attachment, which is actually a copy of itself.

    WORM_PHORPIEX.JZ also downloads the plugin WORM_PESKY.A, which generates the Skype message containing the following details:


    We looked into the number of infections for WORM_PHORPIEX using Trend Micro™ Smart Network Protection™ feedback and found out that 83% of infected machines came from Japan.

    Read the rest of this entry »

    Posted in Malware, Spam | Comments Off on Shylock Not the Lone Threat Targeting Skype


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice